
When I enroll a computer running a fresh installation of 10.13 using the quickadd.pkg, I check the 'Profiles' pane in System Preferences; the MDM profile has the yellow alert icon and the description says



functionality may be limited until this profile is approved



So I manually approve it. Has anyone else seen this?

Yep, it's a new security measure by Apple, called UAMDM:



https://support.apple.com/en-us/HT208019


@RLim945 That link you have doesn't send me anywhere.



I found this UAMDM



So basically I'll have to manually approve it.


@tcandela Yes, you 100% have to manually approve it. ARD cannot approve it, Jamf Remote cannot, scripts cannot. The user has to. It's like Supervision for macOS.


This is only required if on a Mac whose MDM enrollment is not done through DEP. Since you can already manage security-sensitive settings on devices whose MDM enrollment is performed via DEP, User Approved enrollment is unnecessary for these devices.


Tobias, that would be amazing if it was working that way, but unfortunately with our DEP enrolled systems we are still seeing that accept button on the profile at the client side.


@ahovsepyan It's not me making this up. This is directly from the official Apple website:



https://support.apple.com/en-us/HT208019



So you should probably look into the matter with Jamf Support. Perhaps something is wrong with your DEP setup.


@tobiaslinder Check the link you posted; the actual URL is this discussion.


I have some users that will do the enrollment themselves and struggled with how to complete that part. I use this script to kindly ask them to do it for me.



#!/bin/bash

# Displays a message letting the user know that enrollment has finished
# and asks them to approve the MDM profile. Run this policy at the lowest
# priority so it executes last, after all other enrollment scripts and
# policy actions.

# Open the Profiles preference pane so the user can click Approve
open /System/Library/PreferencePanes/Profiles.prefPane
sleep 3

# Determine the macOS minor version (e.g. 13 for 10.13)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

dialog="Your Mac has now been enrolled in the AEP JAMF MDM Solution. Please approve the MDM profile to continue. After you have approved the profile, please restart your machine at your earliest convenience."
button1="OK"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns"

if [[ "${osvers}" -lt 7 ]]; then
    # 'jamf displayMessage' is not available before 10.7; fall back to jamfHelper
    "$jamfHelper" -windowType utility -description "$dialog" -button1 "$button1" -icon "$icon"
else
    jamf displayMessage -message "$dialog"
fi

exit 0

So this fundamentally changes QuickAdd to a two-step process? I have to run the QuickAdd package, enter admin creds, then have the user go to Profiles and click Approve? Does JAMF have an official answer on this?


Thanks for the script @ammonsc! This is very helpful. I will use this with my remote users.


So just to confirm again: this doesn't seem to be in the latest documentation. How does JAMF advise customers to address this approval step for non-DEP machines? QuickAdd used to be a one-step solution; now it's multiple steps. JAMF? Any feedback here?


@ober,



Join the beta program... and I'm not 100% sure any MDM provider can do anything... The real hope is that Apple allows us to add machines to DEP just like iPhones.



C


Apple has built this to require either DEP or a user to physically click the button. Currently, JAMF can't do much about it, but based on the 10.3 beta info they've revealed I think they are building an approval step into the enrollment process. I don't know what that looks like, but it might just be beating the user over the head until they click the button and proceed.



On my end, I'm going to have to restrict everything in Self Service to require MDM approval via policy scoping. Conditional Access, basically, where literally nothing can happen until it's approved. I hope JAMF builds this into the product with a UI/UX that is designed to support that with good messaging to the user.


I'm going to have to restrict everything in Self Service to require MDM approval via policy scoping.


@alexjdale What are you using to scope this? Currently I have my script set as part of a Post Enrollment policy. But, I would like this to continue to run if the user has not approved it.
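For scoping policies or a repeating reminder to Macs whose MDM profile is still unapproved, the approval state has to be read from the client first. The following is an added example, not code from the thread or from Jamf: it parses the output of `profiles status -type enrollment` (which exists on macOS 10.13.4 and later; on earlier 10.13 builds the command has no such option and the parser reports "Unknown") and emits the result in Jamf Pro extension-attribute form, so a smart group can be built on it. The sample outputs in the test are constructed by hand in the format that command prints, and the function names are this example's own.

```shell
#!/bin/sh
# Classify a Mac's MDM enrollment/approval state from the text printed by
# `profiles status -type enrollment` (macOS 10.13.4+). That output looks like:
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)
# Prints one of: Approved, Enrolled (Not Approved), Not Enrolled, Unknown.
classify_enrollment() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo "Approved" ;;
        *"MDM enrollment: Yes"*)                 echo "Enrolled (Not Approved)" ;;
        *"MDM enrollment: No"*)                  echo "Not Enrolled" ;;
        *)                                       echo "Unknown" ;;
    esac
}

# Whether the enrollment came through DEP (DEP enrollments need no user click).
# Prints Yes, No, or Unknown.
enrolled_via_dep() {
    case "$1" in
        *"Enrolled via DEP: Yes"*) echo "Yes" ;;
        *"Enrolled via DEP: No"*)  echo "No" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Exit 0 only when the Mac is enrolled but the user has not yet approved the
# profile, i.e. the state a reminder policy should keep targeting.
needs_user_approval() {
    [ "$(classify_enrollment "$1")" = "Enrolled (Not Approved)" ]
}

# Jamf Pro extension attributes return their value inside <result> tags.
ea_result() {
    echo "<result>$1</result>"
}

# Only query the real command on a Mac; elsewhere the functions above can
# still be exercised against captured output.
if [ "$(uname)" = "Darwin" ] && [ -x /usr/bin/profiles ]; then
    status_text=$(/usr/bin/profiles status -type enrollment 2>/dev/null)
    ea_result "$(classify_enrollment "$status_text")"
fi
```

Paste the block as a script-type extension attribute, build a smart group on the value "Enrolled (Not Approved)", and scope the reminder policy (the jamfHelper script earlier in this thread, for instance) to that group on a recurring trigger; once the user clicks Approve the next inventory update drops the Mac out of the group. A Mac that reports "Enrolled via DEP: Yes" should already show "Approved", which is a quick way to confirm a DEP setup is behaving.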


Jamf's solution in 10.3 is very nice... I'm not going to plan on putting old machines back into DEP even if Apple allows it... not worth the extra work compared to Jamf's new workflow.



C